New study finds static analysis and fuzz testing from Synopsys can save millions in remediation costs

By integrating testing early in the software development lifecycle, organizations may realize a high ROI.

Earlier this year, Synopsys commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) case study for an organization deploying Coverity, a static code analysis solution, and Defensics, an intelligent fuzzing solution. The goal of Forrester’s independent TEI study was to assess the economic and business benefits of one organization’s purchase of Coverity and Defensics.

Participating in the study was a leader in the entertainment and communications technology space, a publicly traded company with revenues in the billions. Over a three-year period the organization saw a return on investment of $9.5 million using Coverity and Defensics across several areas of the organization. Synopsys did not participate in any of Forrester’s interviews with the client or in any follow-up discussions.

This particular organization supplies communications equipment to customers who then white-label it as their own, so its brand reputation was at risk if security vulnerabilities were detected in its products. Its top two customers make up 35 percent of its total revenues, so providing equipment with no security vulnerabilities was critical to the health of its business.

The organization began using Coverity ten years ago as part of its Software Development Lifecycle (SDLC). With regard to Coverity, the company found that defect and security vulnerability remediation expenses were reduced by applying static analysis to both existing and new code bases. Additionally, the company used static analysis for the maintenance of its existing code bases.

The organization also implemented Defensics shortly after a service interruption affected 1.5 million customers using its product. The first test run yielded 40 defects/vulnerabilities that QA testers were able to remediate in the testing phase, rather than in the production stage, significantly reducing the labor and cost required. Afterward, the use of Defensics to identify unknown vulnerabilities proactively spread across the organization.

In its analysis, Forrester found that the cost to find and fix bugs for this customer decreased significantly over the course of three years. They found a five-time reduction in defect/vulnerability remediation costs due to earlier detection in the development phase using Coverity, and a two-time reduction in defect/vulnerability remediation costs due to earlier detection in the testing phase using Defensics.

The use of fuzz testing from Synopsys also led to a faster time to market by about 4 months. The overall ROI was estimated to be 136 percent.